AWS, NodeJS - Connecting an application to MongoDB on another EC2 instance

Time: 2022-01-06 01:38:51

I am trying to connect my app, running on one EC2 instance, to MongoDB, running on another EC2 instance. I'm pretty sure the problem is in the security settings, but I'm not quite sure how to handle that.

First off, my app's instance is in an autoscaling group that sits behind an ELB. The inbound security settings for the instance and ELB allow access to port 80 from anywhere, as well as all traffic from its own security group.

The EC2 instance that runs Mongo is able to take connections if the security group for that instance accepts all inbound traffic from anywhere. Any other configuration that I've tried causes the app to say that it cannot make a connection with the remote address. I've set rules to accept inbound traffic from all security groups that I have, but it only seems to work when I allow all traffic from anywhere.

Also, my db instance is set up with an elastic ip. Should I have this instance behind an ELB as well?

So my questions are these:

1) How can I securely make connections to my EC2 instance running mongo?

2) In terms of architecture, does it make sense to run my database this way, or should I have this behind a load balancer as well?

This issue is tripping me up a lot more than I thought it would, so any help would be appreciated.

NOTE

I have also set bind_ip=0.0.0.0 in /etc/mongo.conf.

1 solution

#1


2  

Your issue is that you are using the public elastic IP to connect to your database server from your other servers. This means that the connection is going out to the internet and back into your VPC, which presents the following issues:

  1. Security issues due to the data transmission not being contained within your VPC
  2. Network latency issues
  3. Your database server's security group can't identify the security group of the inbound connections

Get rid of the elastic IP on the MongoDB server; there is no need for it unless you plan to connect to it from outside your VPC. Modify your servers to use the private internal IP address assigned to your database server when creating connections to it. Finally, lock your security group back down to only allow access to the DB from your other security group(s).

Optional: Create a private hosted zone in Route53, with an A record pointing to your database server's private IP address, then use that hostname instead of the internal IP address.
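As an added example (not code from the question or the answer), a small Python audit that checks the database instance against the answer's steps: it flags any ingress rule on the DB security group broader than "TCP 27017 from the application tier's security group", builds the AWS CLI line that adds that source-group rule, and checks whether a MongoDB URI points at a private VPC address rather than a public Elastic IP. Port 27017 (MongoDB's default), the `sg-app-example`/`sg-db-example` group ids and the sample addresses are assumptions; the `IpPermissions` shape is what `aws ec2 describe-security-groups` returns.

```python
import ipaddress
from urllib.parse import urlparse

MONGO_PORT = 27017  # MongoDB's default listener port; the post names no port

def rule_covers_port(rule, port):
    """True if an ingress rule (describe-security-groups shape) admits TCP to `port`."""
    if rule.get("IpProtocol") == "-1":  # "All traffic" rule
        return True
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535))

def audit_db_ingress(ip_permissions, app_sg_ids, port=MONGO_PORT):
    """List every way the DB port is reachable other than 'tcp/port from the app SG'."""
    findings, has_app_rule = [], False
    for rule in ip_permissions:
        if not rule_covers_port(rule, port):
            continue
        for rng in rule.get("IpRanges", []):  # CIDR sources: the asker's 0.0.0.0/0 case
            cidr = rng["CidrIp"]
            who = "the internet" if cidr == "0.0.0.0/0" else f"CIDR {cidr}"
            findings.append(f"tcp/{port} open to {who}; source it from a security group instead")
        for pair in rule.get("UserIdGroupPairs", []):  # security-group sources
            gid = pair["GroupId"]
            if gid not in app_sg_ids:
                findings.append(f"tcp/{port} reachable from unexpected group {gid}")
            elif rule["IpProtocol"] == "-1":
                findings.append(f"all traffic allowed from {gid}; narrow to tcp/{port}")
            else:
                has_app_rule = True
    if not has_app_rule:
        findings.append(f"missing rule: tcp/{port} from {sorted(app_sg_ids)}")
    return findings

def authorize_command(db_sg_id, app_sg_id, port=MONGO_PORT):
    """AWS CLI line for the answer's last step: allow the DB port from the app SG only."""
    return (f"aws ec2 authorize-security-group-ingress --group-id {db_sg_id} "
            f"--protocol tcp --port {port} --source-group {app_sg_id}")

def uri_host_is_private(mongo_uri):
    """True for a private VPC IP, False for a public one (e.g. an Elastic IP), None for a hostname."""
    try:
        return ipaddress.ip_address(urlparse(mongo_uri).hostname).is_private
    except ValueError:  # hostname, e.g. a Route53 private hosted zone record
        return None

# Constructed samples: the asker's wide-open state and the state the answer recommends.
OPEN_TO_WORLD = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]
LOCKED_DOWN = [{"IpProtocol": "tcp", "FromPort": MONGO_PORT, "ToPort": MONGO_PORT,
                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-example"}]}]
```

Running `audit_db_ingress(OPEN_TO_WORLD, {"sg-app-example"})` reports the internet-wide rule and the missing source-group rule, while `LOCKED_DOWN` yields no findings.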
